HIM: Ch 11 Slides


A valid authorization for disclosure of information is required for the following:

- Disclosure of PHI not permitted to be released without an authorization
- Psychotherapy notes
- Marketing
- Sale of PHI

Use and Disclosure without Authorization

- For the purpose of treatment, payment, or healthcare operations (TPO)
- Accounting of disclosures
- De-identification
- Expert determination method
- Safe harbor method
- Re-identification

Biometric Authentication

Allows a user to be uniquely identified and access the system based on one or more biometric traits such as fingerprints, hand geometry, retinal pattern, or voice waves

Software criticality analysis

Assessing systems to determine how crucial the information in the system is to day-to-day healthcare operations and patient care

HIPAA Enforcement

- Compliance *internal*
- Investigations *internal or external*
- Penalties for violations *internal or external*
- Procedures for hearings
- Corrective action plan (CAP)
- Civil monetary penalty (CMP)
- Reasonable cause
- Willful neglect

Emergency mode operation plan

Creates processes and procedures to support the continuation of critical business and patient care operations while protecting the security of ePHI in the event of a disaster

Expert determination method

Data elements that could identify an individual are removed from the data, and then an expert (a statistician) applies scientific methodology to determine the likelihood that the individual could be identified

Data at rest

Data is in storage within a database or on a server where it is no longer being used or accessed

Confidentiality

Data or information is not made available or disclosed to unauthorized people

Disaster recovery plan

Defines the processes for recovery of data in the event of a disaster

Is authorization needed when a patient requests that her record be released to her daughter to support patient care?

Depends on age of patient (13 years)

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

- Ensures health insurance portability
- Establishes standards for electronic claims and national identifiers
- Protects against fraud and abuse
- Assures the privacy and security of protected health information (PHI)

Logic bombs

Malware that executes a program or a string of code when a certain event happens.

A healthcare organization sends medical records to the insurance company for payment of services

No authorization

Is authorization needed when a patient does not want his/her name in the patient directory?

Oral Authorization Needed

Data backup plan

Organizations must create and store exact copies of electronic protected health information. Defines how the system is being backed up, the method of backing up the data, the location of the backup, the frequency of the backup, and the testing of the backup

Privacy Rule

Organizations must implement policies and procedures to address each standard and a process to ensure that they are being followed

Challenges of Privacy and Security in HIE

- Patient identity/patient matching
- Consumer privacy/patient rights

Security

Physical and electronic protection of information

Contingency plan (disaster plan)

Prepares organizations for an event that may happen which could impact the ability to access patient information, the integrity of the information, or the confidentiality of information

Elements of Protecting Patient Information

Privacy, Confidentiality, Security

Minimum necessary

Privacy Rule standard that requires that a covered entity or business associate make reasonable efforts to limit PHI

Emergency access

Procedures for getting access to the necessary ePHI in the event of an emergency situation

Security Rule

- Required vs. addressable standards
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational safeguards

Best practices of Privacy and Security in HIE

- Risk analysis
- Policies and procedures
- Dedicated individual or team
- Education of the workforce

Contrary

State law cannot be complied with when 1) the covered entity determines that it is impossible to comply with both the federal and the state privacy regulations, or 2) compliance with the state law would create a barrier to compliance with the federal regulations.

d. all of the above, p 308

The Privacy Rule was established to a. protect the rights of healthcare consumers b. improve the efficiency and effectiveness of healthcare delivery c. improve the quality of healthcare d. all of the above

Privacy

The right of an individual to be let alone

Breach Notification Rule

Unauthorized uses and disclosures of PHI (private health information) at any time may be considered a breach; Requires covered entities and business associates to investigate/evaluate if a breach occurred using specific guidelines/protocols *Risk assessment

Examples of Data Security Methods

User authentication, Encryption, Decryption, Malicious software (malware) management

A lawyer requests a copy of a patient's medical records for a litigation

Written authorization

A provider's office calls to retrieve emergency room records for a patient's follow-up appointment

Written authorization

Trojan horse

a destructive piece of programming code hidden in another piece of programming code (a macro or e-mail message) that looks harmless

The process of making sure the correct patient information is being used or disclosed is called a. Verification b. Confirmation c. Authentication d. Certification

a. Confirmation

A covered entity may use protected health information for whatever means deemed appropriate as long as they are the organization that created the protected health information. a. True b. False

a. False (????)p308

Protected health information can be information about a patient that refers to their past, present or future health and conditions. a. True b. False

a. False, Individually identifiable health information p307

A disclosure is the release, transfer, provision of access to, or divulging in any manner of information inside the organization. a. True b. False

a. True

Security is the means by which the privacy and confidentiality of information is maintained. a. True b. False

a. True, 306

If a state's privacy laws are more strict than HIPAA, the covered entity must follow the state law versus HIPAA. a. True b. False

a. True, 308

______ is an example of a biometric identification used for authentication. a. Voice recognition b. Plastic identification cards c. Advanced algorithm methods d. Personalized numeric pin

a. Voice recognition

The purpose of a notice of privacy practices is to inform patients of a. how a healthcare provider may use and share the patient's health information b. the cost of care c. the organization's mission and vision d. the facility's healthcare statistics

a. how a healthcare provider may use and share the patient's health information, p308

The Privacy Rule

allows the patient to agree or object to disclosure of PHI within the facility directory

Reidentification

an organization can apply a specific code, or other means, to the data for future identification purposes; however, the specific code cannot be derived from any data elements that come from the patient's health information

Malware

any program that causes harm to systems through unauthorized access, unauthorized disclosure, destruction, or loss of integrity of any information

Addressable Standards

as amended by HITECH, the implementation specifications of the HIPAA Security Rule that are designated as "addressable" rather than "required"; the covered entity must implement the specification as written, implement an alternative, or document that the res does not apply to the organization or applies with negligible probability

For protected health information to be deidentified per the Safe Harbor Deidentification method, 16 data elements must be removed. a. True b. False

b. False, 18 data elements p316

______ is individually identifiable health information held or transmitted by a covered entity or business associate. a. Designated Record Set b. Protected Health Information (PHI) c. Disclosure List d. Directory Information

b. Protected Health Information (PHI), 307

The ______ requires organizations to implement policies and procedures to safeguard the facility and equipment from unauthorized access, tampering, and theft. a. Contingency Plan b. Security Plan c. Media and Device Controls d. Emergency Mode Operations Plan

b. Security Plan (?)

The HITECH-HIPAA Omnibus Privacy Act a. established the Privacy Rule b. was enacted in response to strengthen HITECH Act privacy and security requirements c. distinguished the difference between privacy, confidentiality, and security d. identified addressable standards for the Security Rule

b. was enacted in response to strengthen HITECH Act privacy and security requirements, 310

______ is text that is considered unreadable or unusable. a. Plaintext b. Cryptographic key c. Ciphertext d. Decryption

c. Ciphertext p327

When implementing a health information exchange, the following two areas were common gaps relating to privacy and security identified by HIMSS and AHIMA: a. Patient consent/authorization and PHI access audit trails b. PHI access audit trails and user authentication c. Patient consent/authorization and restriction of sensitive information d. Restriction of sensitive information and user authentication

c. Patient consent/authorization and restriction of sensitive information, p331

Standards that are mandated and must be implemented as written by the HIPAA Security Rule are called a. Addressable standards b. Terminology standards c. Required standards d. Privacy standards

c. Required standards p309

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was originally established to achieve all of the following except a. protect against fraud and abuse b. ensure health insurance continuity c. establish standard terminology for EHRs d. set standards for electronic claims

c. establish standard terminology for EHRs, p307

The Privacy and Security Rules require workforce training that a. is conducted face-to-face b. occurs only when an employee is hired c. includes general training, job specific training, and ongoing training d. covers the patient's responsibility in the security of their PHI

c. includes general training, job specific training, and ongoing training, p335

Virus

computer program, typically hidden, that attaches itself to another program (host) and has the ability to replicate and cause various forms of harm to the data

Criticality Analysis

consists of evaluating each of the different systems in the organization to determine how crucial the information in the system is to day-to-day healthcare operations and patient care

A patient has the right to request a(n) ______, which describes where the covered entity has disclosed patient information for the past 6 years outside of treatment, payment, and healthcare operations. a. Disclosure List b. Designated Record Set c. Amendment of Medical Record d. Accounting of Disclosures

d. Accounting of Disclosures, p316

A part of the policy and procedure that should be created to manage access to a health information exchange should address which of the following? a. Termination of user access b. User access establishment c. Patient consent process d. All of the above

d. All of the above p330-331

The following should be established when allowing workforce members to use mobile devices to get access to PHI a. Mobile device policies and procedures b. Procedures for reporting lost or stolen devices c. Acceptable behaviors and use of ePHI on mobile technology d. All of the above

d. All of the above, 332-333

The Security Rule specifies ______ that must be in place to protect information systems, buildings, and equipment from natural and environmental hazards. a. Technical safeguards b. Organizational safeguards c. Administrative safeguards d. Physical safeguards

d. Physical safeguards, p309

Malware programs that reproduce on their own that have no need for a host application are ______. a. Logic bombs b. Rootkits c. Viruses d. Worms

d. worms p328

Data in Motion

data that are in the process of being transmitted from one location to another location such as an e-mail

Compound Authorization

defined by HIPAA, an authorization cannot be extended to include other documents except in clearly defined instances (i.e., a disclosure of PHI for a research study can extend to another study)

Designated record set (DRS)

defined by HITECH, a group of records maintained by or for a covered entity that is 1) medical records and billing records about individuals, 2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or 3) used by or for the covered entity to make decisions about individuals

Covered entity

defined by HITECH, 1) a health plan, 2) a healthcare clearinghouse, or 3) a healthcare provider who transmits any health information in electronic form in connection with a covered transaction

Reasonable cause

defined by HITECH, an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect

Willful neglect

defined by HITECH, conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated

Authorization

defined by HITECH, a covered entity may not use or disclose protected health information without a valid authorization

Breach

defined by HITECH, the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Security or Privacy Rules

Required Standards

defined by HITECH, implementation specifications under the Security Rule, which are detailed instructions for implementing a particular standard.

Transfer the risk

outsourcing or insuring the risk against any potential loss to the organization

Bring your own device

personal devices that are allowed to be used within a healthcare organization and interact with electronic protected health information (ePHI)

Stringent

refers to state laws whose standards exceed those of federal law

Breach Notification Rule

requires covered entities to establish policies and procedures to investigate an unauthorized use or disclosure of PHI to determine if a breach occurred and to notify affected individuals and the Dept. of HHS

Residual Risk

risk that remains after no additional controls are implemented

Assessment

systematic collection and review of information pertaining to an individual who wants to receive healthcare services or enter a healthcare setting

Deidentification

the act of removing from a health record or data set any information that could be used to identify the individual to whom the data apply in order to protect his or her confidentiality

Worm

type of computer virus, usually transferred from computer to computer via e-mail, that can replicate itself and use memory but cannot attach itself to other programs (i.e., a host)

Rootkit

type of malicious software that will remotely access or control a computer without being detected by users or security programs
